mHealth: Boon or Bane?

By Linda S. Crawford
August 30, 2011

In last month's issue, we elucidated the positive aspects of mHealth (use of mobile devices in a health-care setting) technology. After reviewing the examples of all the benefits mHealth technologies offer, it can be hard to imagine the downside. Yet, without the proper safeguards like the development of institutional policies, staff education and training in risks and prevention, the rapid and widespread adoption of these tools with unbridled enthusiasm carries huge risks for the patient and the provider. The two areas of greatest risk and vulnerability are the security of patient information and new ways in which mHealth may expose physicians to malpractice claims or other tort lawsuits.

Security and Privacy Breaches, and HIPAA

The Health Insurance Portability and Accountability Act (HIPAA), Public Law 104-191, 104th Congress, Aug. 21, 1996, www.hhs.gov/ocr/privacy/hipaa/administrative/statute/index.htm, 45 CFR 160, 162 and 164, passed by Congress in 1996, provides both rights and protections for group health plan members, including a mandate that covered entities keep patient records secure and accessible only to authorized parties. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 extends these protections to the electronic transmission of electronic health information (the security regulations are found at 45 C.F.R. parts 160 and 164, subpart C (Security Rule); the privacy regulations are found at 45 C.F.R. parts 160 and 164, subpart E (Privacy Rule)).

Security and Privacy Breaches

Security and privacy go hand-in-hand: keeping patient records secure keeps patient privacy intact. Securing health records has always been a challenge, but it turns out to be even more difficult as paper records go digital and become both portable and transmittable.

Concerns about security breaches are getting a lot of attention these days both in and out of the health care industry. Data breaches run the gamut from sophisticated hacking to simple human error. Take the cyber theft of personal data of about 100 million Sony customers earlier this year. It's not just a public relations nightmare: as of this writing there are at least 25 lawsuits against Sony related to the breach in the works. “Data breach suit grows, but damaged hard to prove,” Business Insurance, May 12, 2001, www.businessinsurance.com/article/20110512/NEWS01/110519979. But it doesn't take a cyber attack to be exposed to huge financial penalties. Massachusetts General Hospital recently agreed to a $1 million settlement to satisfy a HIPAA violation when an employee left paper patient records on a subway train. “Massachusetts General Hospital Settles Potential HIPAA Violations,” U.S. Dept. of Health & Human Services news release, Feb. 24, 2011, www.hhs.gov/news/press/2011pres/02/20110224b.html. Obviously, even a small breach can have a stiff penalty.

HIPAA Breaches

The U.S. Department of Health and Human Services website lists HIPAA security breaches affecting 500 or more people. As of May 29, 2011, there have been 278 breaches of this size, ranging from incidents of loss, theft, unauthorized access, disclosure, hacking or IT incidents and improper disposal. Of these 278 breaches, 48 involved loss, and 22 of those losses involved a portable electronic device. 57 of the 278 breaches involved theft and 75 breaches involved laptops (almost all of them theft). “Breaches Affecting 500 or More Individuals,” U.S. Dept. of Health & Human Services, www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html.

The following true-life cases give an idea of the kinds of breaches that can occur when computers and mobile devices are used in the health care setting:

And consider this: It is much easier to lose a smartphone, BlackBerry or tablet than it is to lose a paper record, entire computer or hard drive. So it is inevitable that as the use of these devices in the medical workplace skyrockets, data breaches and security compromises will occur. Echoing this point, an executive for Diversinet (which produces secure mobile platforms for use with healthcare apps) has recommended that not only should the data be encrypted but that apps should be able to be deactivated or deleted if a mobile device is lost, similar to the way lost credit cards are deactivated by banks. Versal, Neil, “How Mobile Health Can Abide by HIPAA,” Apr 20, 2011, http://mobihealthnews.com/10747/how-mobile-health-can-abide-by-hipaa/.

Medical Malpractice

Although HIPAA's Privacy and Security Rules are designed to protect patients, a violation is not grounds for a lawsuit by an individual. All complaints are filed with the U.S. Department of Health and Human Services' Office for Civil Rights (OCR), which investigates and metes out penalties. However, the changes mHealth technologies bring to the way hospitals and physicians work go beyond security and privacy concerns and have implications for how malpractice suits are handled.

It is only a matter of time before the use of medical apps on mobile devices is a factor in a malpractice lawsuit. We can guess at some of the issues their use will raise:

  • Are apps that allow providers to view scans and other images on portable devices up to snuff? Is the quality of the image good enough to make an accurate diagnosis? Is the quality as good as viewing the image at the facility and, if not, does using a device in lieu of an in-person viewing violate the standard of care? These questions will inevitably arise in malpractice suits where apps used on mobile devices are used for diagnosis and treatment decisions.
  • Will the rush to embrace these technologies by healthcare providers affect the legal standard of care over time? For now, we see the convenience these devices and apps offer providers who can access a wealth of medical and patient information wherever they are, but will the convenience factor eventually shift physician practices and patient expectations to the point of also shifting the standard of care? If so, will this expose physicians who chose not to use them to malpractice risk?

Conclusion

For now, lawyers have a new set of questions to ask in discovery, of their own clients and of the opposition:

  • What data was stored or accessed on a mobile device?
  • If the device was used to view images, should there be access to the device for expert review?
  • What apps were used to obtain information, whether as a research tool or to provide direct patient care?
  • If e-mails and texts were exchanged with the patient, are they included in the EMR, in the same way that telephone messages may be included in a paper chart?
  • How did the providers track what information they received and what advice they gave when using a mobile device? Is that information stored somewhere in a way that could or should be mined?

The use of any technology has its growing pains, and mHealth will be no different. However, until issues of privacy and security can be addressed, it would be best for physicians to limit their use of mHealth to nonconfidential communications. The risks currently outweigh the benefits.


Linda S. Crawford, a member of this newsletter's Board of Editors, teaches trial advocacy at Harvard Law School and has been consulting with defendants on research-based effectiveness at deposition and trial since 1985.
